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A  portfolio  approach  to  security 
risk  assessments 

Y.  Seda-Sanabria,  US  Army  Corps  of  Engineers,  USA 
E.E.  Motheu,  Department  of  Homeland  Security,  USA 

J.D.  Morgeson,  Y.  Kirpichevsky,  M.A.  Foinberg,  J.A.  Decbont  and  V.  Utgoff,  Institute  for  Defense  Analysis,  USA 

The  Common  Risk  Model  for  Dorns  (CRM-D),  described  here,  was  developed  os  a  result  of  collaboration  between  the  US  Army  Corps  of 
Engineers  and  the  US  Department  of  Homeland  Security.  It  is  used  for  security  risk  assessment  of  dams,  navigation  locks,  hydro  projects, 
and  similar  infrastructure.  The  method  provides  o  systematic  approach  for  evaluating  and  comparing  security  risks  across  o  large  portfolio. 
Risk  is  calculated  for  attack  scenarios  (specific  adversary  using  o  specific  attack  vector  against  a  specific  target)  by  combining  consequence, 
vulnerability,  and  threat  estimates  in  a  way  that  accounts  for  the  relationships  among  these  variables.  The  CRM-D  can  effectively  quantify 
the  benefits  of  implementing  a  particular  risk  mitigation  strategy  and,  consequently,  enable  return-on-investment  analyses  for  multiple 

mitigation  options  across  a  large  portfolio. 


In  2005,  the  Institute  for  Defense  Analyses  (IDA) 
initiated  the  development  of  the  Common  Risk 
Model  (CRM)  for  evaluating  and  comparing  risks 
associated  with  the  nation’s  critical  infrastructure.  This 
model  incorporates  commonly  used  risk  metrics  that 
are  designed  to  be  transparent,  simple,  and  mathemat¬ 
ically  justifiable.  The  model  also  enables  comparisons 
of  calculated  risks  to  assets  and  systems  within  and 
across  critical  infrastructure  sectors. 

A  modified  version  of  this  model  has  been  under 
development  by  IDA  in  collaboration  with  the  US 
Army  Corps  of  Engineers  (USACE)  and  the  US 
Department  of  Homeland  Security  (DHS) .  The  modi¬ 
fied  model,  the  Common  Risk  Model  for  Dams  (CRM- 
D),  takes  into  account  the  unique  features  of  dams  and 
navigation  locks,  and  provides  a  systematic  approach 
for  evaluating  and  comparing  risks  from  adaptive 
threats  across  a  large  portfolio  [Seda-Sanabria  et  al., 
2011']. 

At  the  most  basic  level,  risk  is  estimated  for  an  attack 
scenario,  defined  as: 

•  a  specific  adversary  (for  example,  a  highly-capable 
transnational  terrorist  group); 

•  a  specific  target  (for  example,  the  main  impound¬ 
ment  structure  of  a  specific  dam);  and, 

•  a  specific  attack  vector  (for  example,  a  cargo  van 
loaded  with  explosives). 

Risk  is  defined  as  the  expected  value  of  loss  and  is  a 
function  of  three  variables:  threat  (T),  vulnerability 
(V),  and  consequences  (C): 

R=/(T,V,  C)  ...(1) 

Threat  is  defined  as  the  probability  of  an  attack  sce¬ 
nario  being  attempted  by  the  adversary,  given  the 
attack  on  one  of  the  targets  in  the  portfolio  under 
assessment,  or  P(A);  vulnerability,  as  the  probability 
of  defeating  the  target’s  defences,  given  that  the  attack 


*The  functional  relationships  among  the  variables  are  accounted  for  by 
estimating  P(A)  as  a  function  of  the  other  two  variables,  but  there  is  no 
stochastic  relationship  because  P(SIA)  and  expected  consequences  are 
estimated  as  point  values,  and  not  random  variables.  This  justifies  the 
use  of  the  product  function  [Cox,  2008^]. 

**Note  that  the  risk  metric  in  Eq.  2  is  also  conditional  on  the  attack 
within  a  portfolio  under  assessment.  The  “conditional  risk”  metric  is 
further  conditioned  on  the  particular  attack  being  chosen. 


is  attempted,  or  P(SIA);  and,  consequences,  as  the 
expected  consequences  of  the  attack,  given  that  the  tar¬ 
get’s  defences  are  defeated,  C.  Because  of  the  way  in 
which  CRM-D  estimates  these  three  variables,  it  is 
appropriate  to  calculate  risk  as  their  product: 

R  =  P(A)  X  P(SIA)  X  C<* **>  ...(2) 

CRM-D  also  defines  ‘conditional  risk’,  or  Rc,  as  risk 
for  the  attack  scenario,  given  that  this  scenario  is  cho- 
sen^ 

Rc  =  P(SIA)  X  C  ...  (3) 

The  consequence  and  risk  metrics  currently  consid¬ 
ered  in  the  CRM-D  are  loss  of  life  and  total  economic 
impacts.  The  sum  of  risks  for  all  the  attack  scenarios 
under  consideration  is  termed  ‘portfolio  risk’. 
Minimizing  portfolio  risk,  subject  to  available 
resources,  is  often  the  focus  of  risk  managers. 

Fundamental  concepts  of  CRM-D 

The  CRM-D  methodology  integrates  the  outputs  of 
three  separate  models:  consequences  (external  to 
CRM-D),  vulnerability,  and  threat.  Using  modelling  is 
a  natural  choice  for  estimating  the  outcomes  of  com¬ 
plex  physical  and  economic  processes,  such  as  conse¬ 
quences  from  attack,  but  is  equally  important  for  esti¬ 
mating  vulnerability  and  threat,  that  is,  variables 
which  require  more  subjective  input  from  subject  mat¬ 
ter  experts  (SMEs).  This  is  because  there  are  many 
possible  attack  scenarios,  and  the  set  is  continuously 
changing.  It  is  prohibitively  costly  and  time-consum¬ 
ing  to  elicit  expert  judgements  on  vulnerability  and 
threat  for  every  scenario,  and  to  repeat  the  elicitation 
process  every  time  a  new  scenario  is  introduced  or  old 
scenarios  are  modified.  This  makes  modelling  crucial 
when  developing  risk  estimates  in  support  of  return  on 
investment  (ROI)  analyses,  because  the  impacts  on 
risk  of  potential  risk-mitigation  improvements  need  to 
be  assessed  quickly. 

The  vulnerability  and  threat  models  are  based  on  data 
elicited  from  SMEs  in  a  way  that  makes  it  possible  to 
apply  elicited  SME  judgement  to  any  set  of  attack  sce¬ 
narios.  The  elicitations  were  conducted  for  estimating 
risk  from  highly  capable,  transnational  adversary 
groups.  Elicitations  in  support  of  estimating  risk  from 
other  types  of  adversary  are  currently  under  develop- 
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ment.  Because  the  adversaries’  capabilities  and/or 
intent  are  likely  to  change  with  time,  elicitations 
should  be  repeated  every  few  years  or  as  deemed 
appropriate. 

Vulnerability 

To  evaluate  the  vulnerability  of  a  target  to  a  specific 
attack  by  a  specific  adversary,  a  model  of  layered 
defences  is  adopted.  The  defensive  layers  protecting  a 
given  target  could  potentially  include  national  defences 
(for  example,  national  counter-terrorism  activities), 
local  defences  (for  example,  local  law  enforcement 
capabilities  to  detect  and  respond  to  potential  attacks), 
and  target  defences  (for  example,  on-site  security  sys¬ 
tems  and  protective  measures).  The  methodology  for 
producing  vulnerability  estimates  accounting  for  target 
defensive  layers  is  described  in  detail  by  Seda-Sanabria 
et  al.  [20 11^].  The  methodology  for  producing  vulnera¬ 
bility  estimates  for  national  and  local  defensive  layers 
is  currently  under  development. 

In  CRM-D,  an  attack  is  considered  ‘successful’  if 
every  defensive  layer  is  breached  successfully,  and  the 
attack  reaches  the  target.  Therefore,  for  the  conceptual 
attack  scenario  shown  in  Fig.  1,  P(SIA)  can  be  deter¬ 
mined  using  the  following  expression: 

P(SIA)  =  P(BIIA)  X  P(B2IB1)  x  P(B3IB2.B1)  ...  (4) 

where:  P(BIIA)  is  the  probability  of  successfully 
breaching  the  first  layer  given  the  specific  attacker 
under  consideration  attempts  this  attack;  P(B2IB1)  is 
the  probability  of  successfully  breaching  the  second 
layer  given  that  the  attacker  has  successfully  breached 
the  first  layer;  and,  P(B3IB2d31)  is  the  probability  of 
successfully  breaching  the  third  layer  given  that  the 
attacker  has  successfully  breached  the  first  and  the 
second  layers. 

Each  layer  is  defined  by  its  defensive  attributes.  For 
a  national  defensive  layer,  these  can  be  the  character¬ 
istics  of  relevant  programmes  and  activities  imple¬ 
mented  at  the  national  scale,  such  as  the  security 
screening  conducted  at  airports;  for  a  local  defensive 
layer,  these  can  be  the  level  of  participation  in  intelli¬ 
gence  information-sharing  of  local  law  enforcement 
agencies  and  their  prevention/response  capabilities; 
and  for  the  target  defensive  layers,  these  can  be  the 
characteristics  of  site  security  measures,  such  as  vehi¬ 
cle  barriers,  access  control  systems,  security  force, 
and  so  on. 

Regarding  target  defensive  layers,  there  is  a  rela¬ 
tively  small  number  of  combinations  of  defensive 
attributes  that  are  typically  implemented  on  dams  and 
related  facilities.  These  commonly  used  configura¬ 
tions  are  called  layer-defensive  configurations,  or 
LDCs.  Because  of  the  small  number  of  LDCs,  it  is 
feasible  to  elicit  probabilities  of  success  for  each  ref¬ 
erence  attack  vector  against  each  LDC  for  each  type 
of  attacker  under  consideration.  The  vulnerability 
estimate  for  a  given  LDC  reflects  subject-matter 
expert  (SME)  judgement  on  how  the  defensive  attrib¬ 
utes  of  that  LDC  would  perform  against  a  particular 
attacker  using  a  particular  attack  vector,  based  on  the 
attacker’s  capabilities  and  intent  and  the  attack  vec¬ 
tor’s  characteristics. 

Probabilities  of  success  against  individual  LDCs  are 
combined  into  a  P(SIA)  for  a  scenario  as  shown  in 
Eq.  4.  The  probability  of  success  against  a  layer  is 
conditional  on  which  layers  have  already  been 
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breached,  since  some  layers  can  degrade  attackers’  Fig.  1. 
capabilities  in  various  ways.  Further,  P(SIA)  incorpo-  Conceptual 
rates  the  possibility  that  some  layers  may  or  may  not  model  of  layered 
be  encountered  (for  example,  response  forces  may  or  defences. 
may  not  arrive  in  time  to  engage  the  adversary  before 
the  attack  succeeds).  The  process  of  estimating 
P(SIA)  in  light  of  these  factors  is  discussed  in  detail 
by  Morgeson  et  al.  [2013'^]. 

Threat 

Modelling  threat  from  goal-oriented,  adaptive  adver¬ 
saries  is  fundamentally  different  from  modelling 
potential  hazards  associated  with  forces  of  nature. 

Adversaries  evaluate  potential  attacks  based  on  criteria 
that  are  important  to  them  and  then  choose  the  attack 
which  suits  their  objectives  best.  When  the  adversary 
decision  criteria  change,  their  choice  may  change  as 
well.  Unlike  consequence  or  vulnerability  estimates,  a 
threat  estimate  for  an  attack  scenario  depends  not  only 
on  the  characteristics  of  that  scenario,  but  on  the  char¬ 
acteristics  of  all  attack  scenarios  that  the  adversary  is 
choosing  from. 

To  account  for  these  concepts,  the  CRM-D  includes 
a  ‘probabilistic  adversary  decision  model’  (PADM), 
which  is  composed  of  two  sub-models:  the  ‘adversary 
value  model’  (AVM)  and  the  ‘attack  choice  model’ 

(ACM).  The  decision  model  is  probabilistic  because 
no  aspect  of  the  adversary’s  future  decision  process 
can  be  known  with  certainty. 

Adversary  value  model 

This  quantifies  expert  judgement  about  how  adver¬ 
saries  evaluate  the  relative  attractiveness  of  attack  sce¬ 
narios,  based  on  the  scenarios’  characteristics  that  the 
adversary  is  likely  to  take  into  account.  These  fea¬ 
tures,  related  to  the  adversary  capabilities  and  intent, 
reflect  the  various  expected  benefits,  costs,  and  risks 
associated  with  each  attack  scenario.  The  adversary 
value  model  also  quantifies  the  underlying  uncertain¬ 
ty  about  the  value  system,  which  stems  from  the  dif¬ 
ferences  of  opinion  among  experts  and  the  uncertain¬ 
ty  of  each  individual  expert  about  the  attacker  value 
system. 

To  model  the  attack  scenario  evaluation  process  fol¬ 
lowed  by  an  adversary,  it  is  first  necessary  to  identi¬ 
fy  the  adversarial  goals  driving  the  selection  of  a  par¬ 
ticular  attack  scenario.  For  the  type  of  adversary 
under  consideration  (highly  capable,  transnational 
terrorist  organization),  this  was  conducted  through 
literature  review  and  interviews  with  selected  groups 
of  terrorism  experts  from  various  government  and 
research  organizations.  It  was  found  that  an  ideal 
attack  for  these  adversaries  would  cause  grave  physi- 
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Fig.  2.  Example  of  cal  and  psychological  damage  while  having  a  relative- 

a  set  of  ly  low  chance  of  failure  [Ackerman  et  al.,  2007^; 

hypothetical  attack  Davis  et  al.,  2009'’;  Libicki  et  al.,  2007’]. 
alternatives.  Based  on  the  assumed  goals,  the  following  variables 

were  identified  as  the  controlling  factors  influencing 
the  attack  scenario  evaluation  process  from  the  adver¬ 
sary’s  perspective; 

•  adversary’s  perception  of  the  probability  of  success¬ 
fully  defeating  the  national  and  local  defensive  layers; 

•  adversary’s  perception  of  the  probability  of  success¬ 
fully  defeating  the  target  defensive  layers,  given  suc¬ 
cess  against  the  national  and  local  defences; 

•  adversary’s  perception  of  the  expected  level  of  con¬ 
sequences  in  terms  of  the  loss  of  life  resulting  from  a 
successful  attack;  and, 

•  adversary’s  perception  of  the  expected  level  of  con¬ 
sequences  in  terms  of  the  economic  impacts  resulting 
from  a  successful  attack. 

These  key  variables,  the  quantification  of  which  is 
relatively  straightforward,  were  selected  from  a  larger 
set  of  variables  identified  as  potentially  relevant  for 
attack  scenario  evaluation  purposes.  For  example, 
according  to  background  research,  the  adversary  was 
deemed  to  value  spectacular  attacks  on  iconic  targets. 
However,  how  spectacular  an  attack  might  be  is  not 
easily  quantifiable,  and  iconicity  is  only  considered 
when  it  varies  across  targets  in  a  portfolio.  In  addition, 
an  event  deemed  as  spectacular  may  exhibit  a  strong 
correlation  with  loss  of  life  and  economic  damage,  and 
therefore  it  may  be  captured  by  the  key  variables 
selected  above. 

A  comprehensive  expert  elicitation  was  conducted 
with  participation  of  representatives  from  multiple 
federal  agencies,  owners  and  operators,  state  fusion 
centres,  and  other  state  agencies  responsible  for  law 
enforcement  and  public  safety.  The  elicitation  was 
conducted  using  a  self-paced,  interactive,  online  inter¬ 
view  process  using  the  Sawtooth  software  for  conjoint 
(trade-off)  analysis  [Orme,  2010*]. 

In  the  main  elicitation  task,  each  SME  was  presented 
with  10  or  20  different  sets  of  four  hypothetical  attack 
options.  The  options  were  created  by  systematically 
varying  the  values  of  the  key  attack  features  in  a  way 
that  makes  a  statistical  estimation  of  the  adversary’s 
value  system  more  efficient.  For  each  set  of  options, 
each  expert  was  asked  to  provide  the  probability  that 
each  of  the  options  in  the  set  would  be  chosen  by 


*For  example,  suppose  scenario  consequences  in  terms  of  loss  of  life 
and  economic  damage  are  equal  to  10  and  $10  million  respectively,  and 
the  combined  P(SIA)  is  equal  to  0.2.  If  P(SIA)  were  to  drop  to  0.1,  it 
would  require  an  offsetting  increase  in  consequences  equal  to  either  400 
lives  or  $2.5  billion,  for  the  adversary  to  retain  roughly  the  same  overall 
utility  for  the  scenario. 


adversaries,  given  that  one  of  them  would  be  chosen. 
Eliciting  probabilities  provides  a  way  of  incorporating 
each  SME’s  uncertainty.  Fig.  2  shows  an  example  of 
one  of  the  sets  of  hypothetical  attack  options  used  in 
the  elicitation. 

Statistical  modelling  provides  a  way  of  aggregating 
the  judgements  of  individual  SMEs  into  a  cumulative 
judgement,  and  of  quantifying  the  trade-offs  the  SMEs 
believe  the  adversaries  would  make  among  the  differ¬ 
ent  attack  features.  It  also  quantifies  uncertainty  about 
the  value  system,  which  stems  from  SME  uncertainty 
and  differences  of  opinion.  Estimating  the  value  sys¬ 
tem  involves  running  a  regression,  where  the  depend¬ 
ent  variable  is  the  expert’s  judgement  about  an  attack 
alternative,  and  the  independent  variables  are  values  of 
the  features  of  the  corresponding  attack  option.  The 
regression  is  a  version  of  conditional  logit  (a  regres¬ 
sion  model  appropriate  when  the  data  reflects  choices 
among  options)  which  is  modified  to  analyse  proba¬ 
bilistic  choice  data  [Blass  et  al.,  2010^;  Kirpichevsky 

e?fl/.,2012‘«]. 

The  adversary  value  system  takes  the  form  of  a  func¬ 
tional  relationship  among  the  key  decision  variables, 
which  is  chosen  to  best  fit  the  elicited  data.  The  effect 
of  each  of  the  variables  on  the  value  assigned  by  the 
adversary  to  attack  scenarios  (utility)  was  found  to 
have  a  concave  pattern:  increases  at  the  lower  end  of 
the  variable  ranges  result  in  greater  utility  increases. 
This  indicates  decision-making  consistent  with  thresh¬ 
olding:  for  example,  once  a  certain  level  of  probabili¬ 
ty  of  success  or  consequences  can  be  expected,  sce¬ 
nario  attractiveness  does  not  change  much,  whereas 
change  is  significant  below  the  threshold.  This  is  con¬ 
sistent  with  the  narrative  answers  provided  by  SMEs 
during  the  elicitation.  In  those  answers,  SMEs  also 
stressed  that  the  most  important  decision  criterion  for 
the  adversary  was  aversion  to  failure,  and  that  loss  of 
life  was  the  more  important  of  the  two  consequence 
variables,  which  was  reflected  in  the  estimated  value 
system** ***'. 

Attack  choice  model 

The  attack  choice  model  uses  the  estimated  adversary 
value  system  to  calculate  P(A)  for  any  set  of  attack 
scenarios  and  to  carry  out  ROI  analyses  for  risk  miti¬ 
gation  options.  To  make  the  P(A)  calculation  possible, 
attack  scenarios  in  the  portfolio  need  to  be  formulated 
in  terms  that  the  adversary  value  model  can  accommo¬ 
date.  This  involves  using  the  CRM-D  consequence  and 
vulnerability  models  to  estimate  the  values  for  loss  of 
life,  total  economic  impacts,  and  the  probabilities  of 
defeating  the  national/local  and  target  defences  for 
every  scenario  in  the  portfolio.  These  variables  are 
used  as  proxies  for  the  adversary  perceptions  of  these 
variables. 

The  attack  choice  model  then  uses  the  estimated 
adversary  value  function  and  the  uncertainty  around  it 
to  simulate  the  possible  utility  values  for  a  set  of  attack 
scenarios.  The  current  CRM-D  assumption  is  that  the 


**If  the  adversary  believes  that  risk  mitigation  might  involve  deception 
or  randomization,  they  might  not  necessarily  choose  a  scenario  that  is 
perceived  to  have  the  highest  value.  A  game  theory  module  is  under 
development  to  address  this  issue. 

***Because  P(A)  is  conditional  on  attack  within  a  portfolio,  deterrence 
is  not  modelled,  in  response  to  risk  mitigation,  the  P(A)  can  only  shift 
among  the  scenarios,  and  the  sum  of  P(A)  will  always  be  no  less  than  1 . 
Future  work  on  the  AVM  elicitation  will  enable  estimating  the  deterrence 
effect  of  investments. 
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adversary  selects  the  attack  scenario  perceived  to  have 
the  highest  value,  and  so  P(A)  for  an  attack  scenario  is 
calculated  as  the  fraction  of  the  simulations,  in  which 
the  scenario  has  the  highest  value  in  the  set***'. 

Because  CRM-D  models  adversaries  as  adaptive 
decision-makers,  it  is  important  to  note  that  some  risk 
mitigation  investments  may  decrease  P(A)  for  some 
scenarios,  while  causing  an  increase  for  other  scenar¬ 
ios****'.  Therefore,  it  is  theoretically  possible  for  an 
investment  aimed  at  risk  mitigation  actually  to 
increase  the  portfolio  risk  if  the  threat  shifts  to  attack 
scenarios  which  pose  more  risk.  Risk  managers  should 
be  mindful  of  the  complex  interactions  associated  with 
the  target  selection  process  used  by  adaptive  adver¬ 
saries. 

Pilot  implementation  at  USACE  projects 

In  2011,  the  USACE  initiated  a  pilot  implementation 
of  the  CRM-D  at  selected  of  dam  and  navigation  lock 
projects  in  the  USACE  Northwestern  Division 
(Columbia  river,  Willamette  river  tributary,  and 
Missouri  river  basins),  Mississippi  Valley  Division 
(Mississippi  river  basin),  and  Great  Lakes  and  Ohio 
River  Division  (Ohio  river  basin).  Each  project  had 
unique  features,  functions,  and  operational  conditions 
which  offered  ideal  conditions  to  test  the  capabilities 
of  the  methodology  and  its  applicability  to  a  large  port¬ 
folio. 

Risk  was  estimated  in  terms  of  expected  loss  of  life 
and  total  economic  damage  for  16  attack  scenarios 
associated  with  nine  dams  and  two  attack  vectors.  Eig. 
3  shows  the  product  of  P(A)  and  P(SIA)  plotted  against 
economic  consequences  for  attack  scenarios  (the  tar¬ 
gets  are  indexed  by  letters,  and  the  attack  vectors  by 
numbers).  Thus,  risk  in  terms  of  economic  conse¬ 
quences  could  be  determined  by  multiplying  the  two 
coordinates  together. 

Eig.  3  shows  iso-curves  that  could  represent  thresh¬ 
olds  of  risk  as  determined  by  a  decision-maker,  for 
example,  a  portfolio  owner.  The  curves  trace  those 
points  for  which  risk  is  greater  than  $50  million  (above 
the  red  line) ,  and  greater  than  $20  million  (above  the 
green  line).  Decision  makers  could  hypothetically  use 
such  information  to  identify  more  readily  those  dams 
that  they  choose  to  focus  on  for  developing  investment 
options.  The  risk  values  that  would  define  these  curves 
could  be  chosen  in  accordance  with  decision  makers’ 
priorities. 

A  portfolio  risk  manager  might  wish  to  assess  an 
impact  of  a  particular  investment  on  risk.  Eor  exam¬ 
ple,  the  addition  of  K  12-rated  vehicle  barriers  at 
seven  of  the  projects  where  they  had  not  been  previ¬ 
ously  installed  at  a  total  cost  of  less  than  $  1  million 
could  reduce  portfolio  risk  given  attack  by  $66  mil¬ 
lion  in  expected  economic  damage  and  34  lives.  To 
decide  whether  this  is  a  worthy  investment,  a  risk 
manager  would  have  to  assume  or  elicit  from  SMEs 
a  predicted  annual  frequency  of  attacks  in  the  portfo¬ 
lio  and  then  use  it  to  compare  this  and  other  invest¬ 
ments  with  the  time-discounted  values  of  the  result¬ 
ing  risk  reductions. 

Conclusion 

The  Common  Risk  Model  for  Dams  (CRM-D)  is  a  con¬ 
sistent,  mathematically  rigorous,  and  easy  to  imple¬ 
ment  method  for  security  risk  assessment  of  dams,  nav¬ 
igation  locks,  hydro  projects,  and  similar  infrastructure. 
This  methodology,  the  result  of  collaborative  efforts 


Fig.  3.  Scenarios 
by  economic 
consequences  of 
success  and 
probability  of 
success. 


between  the  US  Army  Corps  of  Engineers  and  the  US 

Department  of  Homeland  Security,  provides  a  system¬ 
atic  approach  for  evaluating  and  comparing  security 

risks  across  a  large  portfolio.  0 
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